ESET Threat Blog

July 3rd, 2009

The Waledac botnet has been activated and it is now sending spam promoting videos of Independence Day, even though it is only July 3rd. They are using multiple web pages with titles like “Fourth of July Fireworks Shows”. Users wishing to view the video are asked to click an image that returns an executable and then to click “Run”. This of course won’t display any video but will infect the victim with the latest variant of Waledac. ESET detects this latest variant as Win32/Waledac.JT.

 

Thanks to Joan Calvet for his help on this research.

 

Pierre-Marc Bureau

Senior Researcher

July 2nd, 2009

We’ve just finished working on our monthly Threat Report. There aren’t many surprises in the top ten threats for June.

Conficker has taken over the "top spot", relegating INF/Autorun to second place. It’s difficult to say for sure what the significance is, given the relatively small percentage point involved: minor fluctuations in proportions from month to month can be ascribed to factors other than overall upward or downward trends. ThreatSense.Net® doesn’t distinguish between sources: it simply reports when it detects a Conficker infection attempt over any vector (network shares, USB, etc.).

As we’ve pointed out previously, the real story with Conficker is less the actual malware than the number of people who still aren’t taking elementary precautions such as timely patching and disabling Autorun, properly securing network shares and so on. I would guess that right now, the continuing prominence of Conficker in the ratings is due to lots of machines, mainly home machines or botnetted business machines, that are never patched or properly protected by AV, often because the owner doesn’t bother with all that, or maybe sometimes because of a longstanding infection that’s blocking patches and updates and has never been noticed.

Rather more notable, perhaps, is the entry of Win32/TrojanDownloader.Bredolab.AA into the top ten at number 10. I feel like a DJ when I make a statement like that… (but where will I get one at this time of the afternoon?)

This is an example of a class of application that is intended to act as an intermediary to the infective process. This particular detection label is applied to a range of variants that commonly inject themselves into running processes and attempt to disable some security processes, while creating a registry key that ensures that the program is run at every system startup. It communicates with its command and control (C&C) server over HTTP. This malware has been associated with other malware activity such as Gumblar and Win32/Wigon.

The question is, what does this mean to you?

We’re seeing a great deal of this activity in combination with Flash (SWF) and Acrobat (PDF) exploits, so it’s more important than ever to keep up with Adobe updates and patches as well as Microsoft’s. (Nowadays it pays to keep an eye on new patches for any applications and utilities you use!) Having been somewhat negative about Adobe’s updating processes in the past, I really hope that Adobe’s new patching mechanisms, bringing them into line with Microsoft’s, will help to reduce the impact of these exploits in the longer term.

When a Trojan downloader is installed and active on a system, its main (or only) job is to download malware from a remote site, but it may make changes to the system such as those described above in order to increase its chances of doing so successfully. Other vendors describe different variant suffixes (.G, .HW etc.) as referring to this detection: however, because of the varying detection algorithms used by different vendors, it’s unlikely that there will be an exact match in all cases. Because of ESET’s heavy use of generic signatures and advanced heuristics, our detection label actually picks up many close variants and sub-variants.

As we’re halfway through the year, we’ve also provided a look back at the past few months, and hope you’ll find it useful or at least interesting.

David Harley BA CISSP FBCS CITP
Director of Malware Intelligence

 

July 2nd, 2009

Researchers at ESET have reliable intelligence that the Waledac botnet is currently being prepared for a spam campaign around the Independence Day theme. They have registered at least 18 domain names all related to the theme of video, fireworks, and Independence Day. The criminals behind Waledac are preparing to start sending spam with links to supposed videos of Independence Day fireworks which are, in reality, fresh copies of the Waledac malware family. We estimate the size of Waledac’s botnet as tens of thousands of infected computers. We believe that more than 20,000 compromised computers will be used to send the malicious emails, in an effort to increase the size of the botnet. This effort will allow the criminals to send out even more spam. Currently, detection of the new variants of Waledac is quite low, with only a handful of antivirus products detecting the newest threat.

The Waledac family has been active since the end of 2008 and has been known to exploit events such as Christmas or Valentine’s day in order to spread in a way very similar to methods used by the infamous Storm Worm. Also, just like the Storm Worm, Waledac uses a peer-to-peer network to receive commands from its controllers. The main objective behind the Waledac operation is to use infected computers to send spam.

Consumers are reminded not to follow links in unsolicited emails, even if they appear to come from someone they know. As dangerous as fireworks can be, when used as directed, they are still safer than unsolicited emails!

Special thanks to Joan Calvet from Ecole Polytechnique of Montreal for his help on this research.

Pierre-Marc Bureau

Senior Researcher

June 29th, 2009

Having worked quite a lot in recent years in the public sector in the UK, I’m not at all surprised that RIM (Research in Motion) is bullish about being assessed by CESG as suitable for use with restricted government data. However, it’s not altogether clear from the documentation published by RIM what this actually means.

Blackberry Enterprise Solution is considered to be "suitable for handling HMG [Her Majesty's Government] information protectively marked RESTRICTED (Impact Level 3)". CESG (Communications-Electronics Security Group, though the expanded name is no longer used) is the Information Assurance arm of GCHQ (Government Communications Headquarters), the Signals Intelligence lynchpin of national security. This standard of assurance is far from easy to achieve. However, RIM’s copious documentation, though accurate as far as it goes, doesn’t tell the whole story: the CESG page at http://www.cesg.gov.uk/find_a/cert_products/index.cfm?menuSelected=1&displayPage=152&id=436 gives a little more detail.

That information classification sounds pretty impressive, and so it is: however, it’s actually partway through an impact level matrix that ranges from zero impact in all respects (level 0) to various serious eventualities such as widespread loss of life, internal political stability, or "exceptionally grave damage to the operational effectiveness or security of UK or allied forces." Here are the issues that qualify as Impact Level 3:

  • Risk to an individual’s personal safety or liberty
  • Minor loss of confidence in Government
  • Make it more difficult to maintain the operational effectiveness or security of UK or allied forces (e.g. compromise of UK forces doctrine or training materials).
  • Cause embarrassment to Diplomatic relations
  • Disadvantage a major UK Company
  • Damage unique intelligence operations in support of intelligence requirements at JIC Priority Three or less.

Potentially serious issues, but they should be seen in the context of the mapping of Impact Levels to standard protective markings, which classify the level of confidentiality that applies to protected data:

  • Impact Level 6 – TOP SECRET
  • Impact Level 5 – SECRET
  • Impact Level 4 – CONFIDENTIAL
  • Impact Level 3 – RESTRICTED
  • Impact Levels 1 & 2 – PROTECT

In other words, this level of protection applies to data to which access is restricted, but it’s a long way down from top secret.

Clearly, this doesn’t mean that anyone in the UK public sector can use any Blackberry for any purpose. The CESG page makes it clear that "This advice is specific to Blackberry(R) Enterprise Solution and should not be construed as being more widely applicable." Furthermore, system administrators are expected to conform with CESG security procedures, and that is likely to involve disabling "features that affect the overall security of the solution".

The assessment only holds if "administrators and users adhere to the CESG security procedures". It’s also specifically stated that use of Blackberry GSM phone functionality should be restricted to NOT PROTECTIVELY MARKED use.

David Harley BA CISSP FBCS CITP
Director of Malware Intelligence

June 26th, 2009

I’ve just been observing a slightly bizarre email thread about the whatdoestheinternetthink.net site, which is apparently aiming to be the place to go if you want a global enquiry tool to find out what the online world thinks about any given subject. You enter a search term, it submits to one or more search engines, and it comes back with a percentage score in three categories: positive, negative and ambivalent. (An actual search comes back with ”don’t care” rather than ambivalent, and I don’t think that’s quite the same thing, but let’s not be picky.)

Well, it’s reassuring to note that the search term “ESET” scores 94.3% positive at the moment, whereas Symantec scores 30.2%, and McAfee a heartrending 25%. (Sorry Mark, Igor et al! ;-)

However, it seems that we’re all outclassed right now by Microsoft Security Essentials, with a resounding 100% approval. (I figured if I searched just on Microsoft, I’d get a lot of security-unrelated hits that would totally skew the results.) In fact, that last result may be skewed slightly by the fact that it’s apparently based on a single google hit. So much for the Wisdom of Crowds. :-D

And that makes an interesting point about how to lie with statistics. I’m not much of a statistician, though my father was: his copy of Huff’s book was one of the first serious books I read. But you don’t need to know your mean from your median to realize that:

  • A brand new pre-release product hasn’t had much time to generate negative opinions
  • The bigger a company’s profile, the more comment will be made about it on the Internet (and in the real world, of course)
  • There’s a likelihood that over time, more adverse than positive comments will be made about a specific product, human nature being what it is
  • You can get pretty much any positive result you want, if you’re prepared to spend time tweaking the search terms.

So even if we knew anything about the classification criteria used by the site’s search algorithm, which we don’t, I wouldn’t advocate that you try to draw any real conclusions about the popularity or value of any vendor or product from this particular instance of lies, damned lies and statistics. Especially in the light of a little experiment carried out by a colleague at ESET UK (thanks, Quinton!): it turns out that people are overwhelmingly in favour of Ebola. Unfortunately, the site doesn’t tell us whether it’s the river, the virus, or the haemorrhagic fever that people are so fond of. Or maybe the fact that there are several musical acts, a cartoon web site and a movie with the same name tells us something. Maybe the algorithm needs a little work, guys. Or maybe some clarification as to what it actually does. Though to be fair, the disclaimer at the bottom does say that the results are provided as-is and are not reliable. :)

Given the mauling that John Lennon received in the 1960s after suggesting that the Beatles were more popular than Jesus, I think I’ll let you find out for yourselves whether a search on http://www.whatdoestheinternetthink.net supports that suggestion. Or for some real fun, try varying the search terms to see how easily you can skew the results either way.

And that’s a real problem: I can actually envisage people generating all sorts of spurious results in the way I did above and using them misleadingly in a PR context, in much the same way that they misuse VirusTotal statistics.

David Harley BA CISSP FBCS CITP
Director of Malware Intelligence

June 25th, 2009

I recently read an article about Facebook security problems at http://www.securitymattersmag.com/security-matters-magazine-article-detail.php?id=411 in which some advice on passwords was given.
 
Some of the advice was quite good, but some was a bit shaky. I’ll go through the tips and tell you what’s hot and what’s not!
  • Use a combination of uppercase and lowercase letters, symbols, and numbers
Warm: If you have a password of less than 12 to 14 characters, then the combination of numbers, symbols, upper and lower case letters matters. For longer passwords the need for all of these characters is far less. A 20 character password with all lower case letters is generally better than any 10 character password. Adding symbols and numbers does still increase the strength of the password though, even for long ones.
  • Make sure your passwords are at least eight characters long. The more characters your passwords contain, the more difficult they are to guess
Warm: Eight characters is not sufficient unless you have no other choice. The more characters the better though.
  • Try to make your passwords as meaningless and random as possible
Cold: the password can be meaningful to you if it is long enough
  • Use different passwords for each account
Hot: If you use the same password for multiple accounts then if the password is compromised all of those accounts are compromised.
  • Change your passwords regularly. Set up a routine, changing your passwords the first of each month or every other payday
Almost Hot: The frequency with which you need to change your passwords depends upon what you are protecting and how good your passwords are. Typically every 6 to 12 weeks is sufficient for reasonably good passwords.
  • Never write your passwords down, and never give them out—to anyone.
Cold: If you have complex, separate passwords for everything, you are not likely to be able to remember them all. Writing the passwords down is not the issue, it’s all about where you keep what you wrote it down on! Do not share your passwords with others though!
  • Don’t use names or numbers associated with you, such as a birth date or nickname.
Cold: Don’t use just your birthdate, but a passphrase of “On January 3 I landed on earth” is a very good password, even if your birthday is January 3.
  • Don’t use your user name or login name in any form
Cold: Given a long password you can. For a short password this is good advice though.
  • Don’t use a derivative of your name, the name of a family member, or the name of a pet
Cold: Don’t use the name alone, but something like “Rover bit John’s hand” is a fine password (passphrase).
  • Avoid using a solitary word in any language
HOT HOT HOT: A solitary word is a terrible password that is easy for a computer to guess.
  • Don’t use the word password
Cold: You can use the word password in a sentence. “I hate changing my @%&$ password” is a fine password (passphrase).
  • Avoid using easily-obtained personal information. This includes license plate numbers, telephone numbers, social security numbers, your automobile’s make or model, your street address, etc.
Cold: Again, don’t use it alone, but in a sentence it is just fine.
  • Don’t answer yes when prompted to save your password to a particular computer. Instead, rely on a strong password committed to memory or stored in a dependable password management program
Hot: This is great advice.
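The recurring theme in the verdicts above is that length beats character mix, and that a lone dictionary word is the one thing that is always bad. The following added example (not code from the original post or from ESET) puts numbers on that by estimating the brute-force search space of a password as pool_size ** length, expressed in bits, and by flagging solitary words. The character pools (26 + 26 + 10 + 33 symbols) and the tiny COMMON_WORDS set are constructed assumptions for this example; a real checker would load a full wordlist.

```python
import math
import re
import string

# Character pools assumed for the estimate (constructed for this example):
# 26 lowercase, 26 uppercase, 10 digits and 33 printable symbols
# (string.punctuation plus the space character).
SYMBOLS = string.punctuation + " "
POOLS = (
    ("lower", set(string.ascii_lowercase)),
    ("upper", set(string.ascii_uppercase)),
    ("digit", set(string.digits)),
    ("symbol", set(SYMBOLS)),
)

# Tiny stand-in for a dictionary (constructed); a real checker loads a wordlist.
COMMON_WORDS = {"password", "rover", "monkey", "summer", "dragon"}


def pool_size(password: str) -> int:
    """Size of the alphabet an attacker must cover, given the classes actually used."""
    size = 0
    for _name, chars in POOLS:
        if any(c in chars for c in password):
            size += len(chars)
    return size


def search_space_bits(password: str) -> float:
    """log2 of the brute-force search space: pool_size ** length."""
    if not password:
        return 0.0
    return len(password) * math.log2(pool_size(password))


def is_solitary_word(password: str) -> bool:
    """True if the password is a single dictionary word, ignoring case and trailing digits."""
    core = re.sub(r"\d+$", "", password).lower()
    return core in COMMON_WORDS


def assess(password: str) -> dict:
    """Apply the post's rules of thumb: length first, character mix for short ones, never a lone word."""
    findings = []
    if len(password) < 8:
        findings.append("shorter than 8 characters")
    elif len(password) < 12:
        findings.append("under 12 characters: character mix matters here")
    if is_solitary_word(password):
        findings.append("solitary dictionary word")
    return {
        "length": len(password),
        "pool": pool_size(password),
        "bits": round(search_space_bits(password), 1),
        "findings": findings,
    }


def compare(a: str, b: str) -> str:
    """Return whichever of the two passwords has the larger search space."""
    return a if search_space_bits(a) >= search_space_bits(b) else b


if __name__ == "__main__":
    # 20 lowercase letters versus 10 characters drawn from all four classes.
    for candidate in ("a" * 20, "Ab1!Ab1!Ab", "password", "Rover bit John's hand"):
        print(candidate, assess(candidate))
    print("stronger:", compare("a" * 20, "Ab1!Ab1!Ab"))
```

The 20-character lowercase string comes out at roughly 94 bits against roughly 66 bits for the 10-character mixed one, which is the claim made in the first verdict; the passphrase examples from the post score well over 100 bits while "password" is caught by both the length and the solitary-word checks. The estimate is an upper bound: it assumes the attacker has no better strategy than exhaustive search, which is exactly why the solitary-word check exists.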
 
Randy Abrams
Director of Technical Education

June 25th, 2009

The news broke a short time ago that pop star Michael Jackson died of a heart attack. It is all too predictable that the bad guys will use this news event to spam out fake videos or links to alleged pictures in order to trick users into installing their malicious software.

If you receive an email about Michael Jackson, simply delete it unless you know the sender and you verify (call, email or chat) that the sender actually did send it to you.

If you receive an IM about Michael Jackson and it has a link, ignore the link. Don’t click on it.

If you want to find real news about Michael Jackson then go to a real news site.

Don’t fall for the hoaxes in email, Instant Messenger (chat), tweets on Twitter, or other social networking sites.

Randy Abrams
Director of Technical Education

June 24th, 2009

It’s often claimed that men think about sex every seven seconds. Sorry, where was I? Oh yes… I’m not sure where that pseudo-statistic comes from: apparently not from the Kinsey report as is often claimed, and a more recent poll, while reflecting perhaps more liberated views about sexuality than could be admitted to in the 1950s, actually suggests that 43% of men think about It several times a day, compared to the 54% cited by Kinsey. Perhaps we spend less time thinking about it nowadays because we have more opportunities to experience it.

Well, there are lots of exciting statistics to drool over at the two links above, but this is supposed to be a family blog. (Actually, it isn’t, but it’s not supposed to be salacious either!) What do dubious statistics about romping in the hay (too bad I have hay fever…) have to do with security?

An article in Computer Weekly started me thinking in this direction (in between thoughts about The Other – sorry, about other things). Apparently, nearly a third of professional workers have sent explicit emails, or dumped partners by email, according to a Proofpoint survey to which I haven’t seen a direct link. (I’m afraid the article doesn’t mention if the survey breaks those figures down by gender, if that interests you. :-) Furthermore, nearer 40% of respondents have apparently applied for jobs elsewhere from their work PCs.

Not everyone considers this sort of occasional misuse of company facilities to be a big security issue, of course. What is a major issue, though, is the average computer user’s apparent inability to distinguish between their work and private life. Well, I guess it’s one way to restore some semblance of normality to a workaholic’s work/life balance. But there are a whole load of security issues around it.

Businesses are increasingly paranoid about all sorts of online activity: not just social networking such as Facebook and Twitter, but older forms of file sharing and messaging. Not just because of the security risks associated with malware, social engineering, data leakage and so on, but because of less obvious risks such as potential damage to the company’s reputation, all manner of legal and compliance issues, duty of care to employees, and so on. No wonder employers like the city of Bozeman are tempted to overstep acceptable boundaries in an attempt to monitor or even regulate their employees’ web activity. Bozeman’s officials apparently wanted to ride roughshod over their employees’ constitutional rights, but they do seem to have more of a grasp of the security problems associated with social networking than most employees do.

I’m relieved, however, to learn that the story about the memory span of a goldfish being just a few seconds is also a myth. It saves me wasting any more of my life wondering whether they have time to think about sex.

David Harley BA CISSP FBCS CITP
Director of Malware Intelligence

June 23rd, 2009

I was recently reminded of the truism that security is about managing risk. You cannot eliminate all risk. When we think of cyber criminals we tend to think of phishers, criminal gangs writing malware to steal passwords, and eBay scammers. So we try to deal with “reputable” companies to eliminate the risk of theft and fraud, but as you will see, this does not always work out.

Cybercrime is simply crime using computers and/or the internet to commit crimes. There are a variety of variations on this definition, but I think this one works just fine.

Dealing with a reputable company can minimize your risk of fraud or theft, but it does not eliminate it. Before I get to my specific example, it may be useful to explain “Bait and switch”.

Bait and switch is essentially when a company offers a product at one price, but then fails to honor the offer. They may fail to honor the offer by offering an inferior product or by raising the price.

I recently booked a round trip flight from Frankfurt, Germany to Amsterdam, Holland on KLM airlines using the Northwest Airlines web site. Northwest Airlines sent an email confirming my purchase of the flight for the price of $313.63. The next thing Northwest airlines, who incidentally are the same as Delta Airlines now, did was to silently cancel my ticket. Northwest knew that I would be stranded in Frankfurt with my only real option being to pay KLM, who is also Air France, more than twice as much money to make my appointment in Holland.

This appears to be a particularly nefarious bait and switch scam in that the airlines know the customer can’t easily back out of the deal. One might say that it was an accident, but logically if it was an accident then Northwest Airlines would have accepted responsibility for the increased fare and refunded the difference since they were exclusively at fault for not notifying a passenger when they cancel a ticket. I contacted Northwest and their response was that they were sorry, but they would accept no responsibility for their actions. I would guess they have a pretty lucrative kickback scheme with Air France and that the money will be pretty hard to trace.

You can dramatically reduce risk by dealing with well known companies, but you can’t eliminate it. In this case, Northwest Airlines used the internet, which is how I booked my tickets, to perpetrate what appears to be a classic bait and switch scam.

I’ll figure out who the appropriate law enforcement agencies are and see what they think about it. In the meantime, I’ve filed a complaint with the Better Business Bureau.

Randy Abrams
Director of Technical Education
ESET LLC

June 23rd, 2009

I really didn’t think that Microsoft’s beta AV product would necessitate three blogs: it is, after all, just a beta release. However, I was surprised just now to read an article by Mark Mayne of SC Magazine that claims the product is “going head-to-head with a range of AV vendors, from Symantec and McAfee through to AVG and Eset [sic]”, and suggesting that “the market incumbents will be watching this beta with interest, if not concern.”

I’m not surprised at the content of the suggestion: after all, I just touched on it in my previous blog. I’m a little more surprised that it was aired by SC, which actually has roots in the antivirus industry (though you wouldn’t think so to read it now) and usually has a more balanced view of what we now prefer to call the anti-malware industry. So let me tell you (again) why I think those statements are misleading.

Microsoft is already going head-to-head against the rest of the industry in the enterprise market, with a product range that includes anti-malware and much else, but is very definitely not free.

What we’re expecting to see today is a beta test version of a limited product that will eventually be a production version of a free but limited product. That’s not a market that most of us are in. AVG (among others) do have a free (but limited) product: we don’t, though we do have a free online scanner here, as do other vendors. Why do vendors do this? Well, hopefully, some users of free products and services will find that they actually need a full commercial solution and think about upgrading. But it’s also a practical and (at least in part) altruistic issue: it’s better to give something free to people who wouldn’t use a commercial product and reduce their exposure (and everyone else’s) to malware.

However, it seems bizarre to me to suggest a head-to-head between competing free products. Where we’re really in competition is in the product ranges that actually keep us in business, and that’s a much more diverse and complex market sector than Mark is implying.

David Harley BA CISSP FBCS CITP
Director of Malware Intelligence